Best Lawyers logo
 
Insight

Breach Under HIPAA May Have Occurred: Am I Required to Notify?

Understanding when a privacy violation rises to the level of a reportable HIPAA breach—and how to evaluate risk under HHS guidance.

Cornell H. Kennedy

Written by Cornell H. Kennedy

Published: December 13, 2024

Breach Under HIPAA May Have Occurred: Am I Required to Notify?

September 25, 2014 | Sherrard Roe Blog I Cornell H. Kennedy

As you may know, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) imposes standards for the use and disclosure of protected health information (“PHI”) through its privacy rule (“Privacy Rule”) and imposes standards for the protection of electronic PHI through its security rule (“Security Rule”). As of September 2009, entities covered by HIPAA, including health plans and health care providers (“covered entities”), must notify individuals when their “unsecured” PHI (PHI that is unencrypted) has been breached.

A breach exists if there is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, and such action compromises the security or privacy of the PHI.

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) includes three exceptions to the definition of “breach,” which include situations where a violation of the Privacy Rule has occurred, but the violation is not to be considered a breach. Those include:

  1. A breach excludes any unintentional acquisition, access or use of PHI by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
  2. A breach excludes inadvertent disclosures of PHI from a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
  3. Also exempted are disclosures of PHI where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

If it is established that the acquisition, access, use or disclosure of PHI violates the Privacy Rule, and that the breach does not meet any of the three regulatory exceptions, a breach is presumed unless, through a risk assessment, the covered entity determines that there is a Low Probability that the data has been Compromised (“LoProCo”). To make this determination, the U.S. Department of Health and Human Services (“HHS”) provides that covered entities and business associates must conduct a risk assessment, taking into consideration, among other things, the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. Who was the unauthorized person who received or accessed the PHI;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

For example, assume that a hospital sends a fax with patient medical information to the wrong fax number outside of the hospital. In performing this analysis, the covered entity should:

  1. Determine whether the PHI – the medical information – identifies the patient, which it is likely it does;
  2. Consider who received the fax. Was it sent to another covered entity that also has confidentiality requirements, which would be viewed as favorable? Or was it sent to a local business that does not have confidentiality requirements?;
  3. Determine whether or not the PHI was actually acquired or viewed or whether there was an opportunity for the PHI to be acquired or viewed. The probability of compromise is lower if only the opportunity existed for the PHI to be acquired or viewed but the PHI was not actually acquired or viewed. However, the covered entity should presumed that the fax was viewed unless further information provides that there was no opportunity to view or acquire the information and;
  4. Mitigate the breach by requesting that the recipient either return or destroy the information.

If the covered entity makes the determination through an in-depth LoProCo analysis that the breach of the PHI does not pose a significant risk of financial, reputational or other harm to the individual, then no breach notification is required. As matter of prudent business practice, the covered entity should always document their risk assessments in order to demonstrate, if necessary, that no breach notification was required.

Trending Articles

Recognizing Legal Leaders: The 2027 Best Lawyers Awards in Australia, Japan and Singapore

by Jamilla Tabbara

Market drivers, diversity trends and the elite practitioners shaping the legal landscape.

Illustrated maps of Australia, Japan and Singapore displayed with their national flags, representing

How Far Back Can the IRS Audit You?

by Bryan Driscoll

Clear answers on IRS statutes of limitations, recordkeeping and what to do if you are under review.

Gloved hand holding a spread of one-hundred-dollar bills near an IRS tax document

Musk v. Altman: The Lawyers Behind the Case

by Jamilla Tabbara

Meet the Trial Lawyers Shaping One of AI's Biggest Legal Disputes.

Portrait photos of Elon Musk and Sam Altman positioned in front of the OpenAI logo.

The Best Lawyers in France 2027: Peer-Reviewed Excellence

by Jamilla Tabbara

Seventeen editions of peer trust, a growing profession and a dynamic legal market.

3D Map of France with National Flag Graphic

Announcing the 2027 Best Lawyers Awards: Austria, Germany and Switzerland

by Jamilla Tabbara

Celebrating the legal professionals throughout Central Europe.

Graphic displaying three-dimensional map cutouts of Austria, Germany and Switzerland.

The Legal Teams Behind the Blake Lively–Justin Baldoni Settlement

by Grace Greer

A closer look at the legal teams and attorneys involved in the Blake Lively–Justin Baldoni litigation and its resolution.

Split-screen image of Blake Lively and Justin Baldoni

How AI Is Changing the Way Clients Find Lawyers

by Jamilla Tabbara

Best Lawyers CEO Phil Greer explains how AI-driven search tools are reshaping legal marketing and why credibility markers matter.

AI chat bubble icon with stars representing artificial intelligence transforming client-lawyer conne

Colorado’s 2026 Water Rights Battles

by Bryan Driscoll

A new era of conflict begins.

Colorado Water Rights 2026: A New Era of Conflict headline

When Is It Too Late to Stop Foreclosure?

by Bryan Driscoll

Understanding the foreclosure timeline, critical deadlines and the legal options that may still protect your home.

Miniature house model on orange background surrounded by thumbtacks representing foreclosure

Can You Go to Jail at an Arraignment?

by Bryan Driscoll

Understanding What Happens at Your First Court Appearance.

A heavy chain lying on the ground in the foreground with a blurred figure standing in the background

What’s the Difference Between DUI and DWI?

by Bryan Driscoll

Understanding the terminology and consequences of impaired driving charges.

Driver during nighttime police traffic stop with officer's flashlight shining through car window

How to Choose a Personal Injury Lawyer

by Bryan Driscoll

Finding the right legal representation after an injury is a critical decision that requires careful evaluation. 

3D scene representing the deliberative process of choosing a personal injury attorney

What Happens if You Don't File Taxes

by Bryan Driscoll

The penalties are real, but so are your options. Here's what the IRS can do and what you can do about it.

A torn dollar bill revealing a watchful eye, surrounded by flying documents

When to Get a Lawyer for Work Injury

by Bryan Driscoll

Understanding your rights and navigating the complexity of workers’ compensation claims.

Injured worker receiving medical attention at workplace

What Disqualifies You From Filing Bankruptcies

by Bryan Driscoll

A guide to navigating eligibility, the means test and the legal hurdles of declaring bankruptcy.

A silhouette of a large hand pushing over a row of falling dominos toward a small figure standing be

Legal Separation vs. Divorce

by Bryan Driscoll

A clear guide to understanding the legal, financial and emotional differences between separating and ending a marriage.

Miniature figures of two people standing apart with a child figure between them on a cracked surface

By using our website, you consent to our use of cookies. We use essential cookies to enhance your browsing experience. You may opt out of non-essential cookies. Read our Cookie Policy to learn more.